Sunday, May 25, 2008

Verified By Idiots

Yesterday I was helping a friend order something online. It was the first time she'd used her Visa card to purchase something on the internet, so she had to go through the steps to create a Verified By Visa password. Verified By Visa is a service that Visa performs that basically creates an out-of-band authentication whenever you make a purchase with participating retailers. So basically, it adds another bit of authentication to your purchase - not only do you need the credit card details and CVV, but also this password you set up with Visa.

So far, so good. I really can't complain about that. Problem was, when my friend tried to enter her usual password, which is a decent password (non-dictionary, both letters and numbers), a Javascript alert box popped up saying her password did not meet the Password Policy, please try again. It didn't say why.

So she and I started trying all kinds of things to make her password better, introducing more characters, mixed case, more numerals, special characters, all over the place but to no avail. Same message every time. At this point, I was already annoyed that they do this checking client-side (hence the Javascript alert box) and I considered bypassing the script and forcing it through anyway. But, just to be a good sport, I decided to look at their code to find out what the damn Password Policy requires.

Let me back up: I had to look at the code because I looked at the "Verified By Visa" FAQ pages about password requirements and they said that the password policies are set by the card issuer. Well then.

So I viewed the source of the frame containing the Verified By Visa password entry form. I didn't see the code for the alert box there, so I looked for includes that might contain it. "pwdbase.js" looked promising, and sure enough, there it was. The javascript file is currently here . (Yes, the card was issued by Wells Fargo.)

So I looked through the code, found the alerts about the password policy, and finally found the offending code:

else if( (/\W/).test(document.passwdForm.pin1.value) || (document.passwdForm.pin1.value.length < 6) || (document.passwdForm.pin1.value.length > 8) )
alert("Your password does not conform to the Password Policy. Please try again.");
return false;
I almost couldn't believe it, but I know people are idiots. The reason it wouldn't accept the password is that PASSWORDS CANNOT BE LONGER THAN EIGHT CHARACTERS, and hers is longer.

Un-fucking-believable. Let alone the fact that they do their checking client-side, which at best is unnecessary (if they're not brain-dead and do checking server-side too), and at worst allows any password to be sent, even a blank one. Let alone their popup boxes that tell you nothing (browsing the code, you can see one that helpfully says "isbad " and then the password you entered). This extra bit of security, that involves your name, address, SSN, and PIN (they have to verify that you're you when you set your password, after all), cannot be longer than eight characters. And I'm pretty sure, looking at the rest of the code, that it can only contain letters and numbers.

I wish this weren't so commonplace, but the fact is, I have to have a dumbed-down password that I can use for online shit like this. I had to make it exactly eight characters, and remove the special characters from it. But to see this from a BANK? In a measure that's supposed to IMPROVE security?

So I went to the website for the Wells Fargo Verified By Visa thing and I used their little contact form to send them an email. The gist of it was "Are you INSANE? I'm glad I'm not a Wells Fargo customer, and with this I'll probably never be one, since I don't know if I can trust my data with a company that does this." They emailed me back:
I understand your concern about the Verified by Visa program. This program is run by Visa directly.

For information about Verified by Visa, please contact them directly at 1-800-318-9617 for enrollments with check cards or 1-877-262-8636 for credit card enrollments. Bankers are available to assist you 24 hours a day, 7 days a week.

Chris Cataldo
Wells Fargo Online Customer Services
No, idiot. Fuck. I know it's not Chris's fault he doesn't understand the problem. But at least he could have asked his manager about it or something.

And what about these Arcot jackasses? Apparently they run all the "Verified By" programs. Maybe they could enforce a little password common fucking sense of their own? But then, their banner graphic says it all: "Strong authentication so simple, even a child can use it." Well, sorry, but I don't think credit card authentication should be so simple a child can use it. Grownups should be able to do more to protect themselves than children can. Of course, experience would suggest they can't, since everyone's inclined to type "password" into every box asking them to set a password. Maybe Wells Fargo is onto something after all, and the world isn't ready for passwords longer than eight characters. (Although if their shitty Javascript is any example, maybe someone has already snatched their client database, and if they want passwords, they only need to generate tables for six- to eight-character alphanumeric strings. Have fun!)

So here we have a team effort to produce crappy security: Arcot, not putting an ounce of effort into guaranteeing protection in the systems they set up; Wells Fargo, having client-side Javascript checking to enforce their retarded password policy; and people in general, doing the best they can to make sure it's easy to steal their data. As someone who's supposed to go forth and protect the people in general, I know I need to get used to the idea that they're trying to be bigger idiots than idiot-proof systems can handle. Fine. But it's just really disappointing to see such negligence and stupidity on the part of a bank and a credit card protection system, who should fucking know better.